Tag: owasp

OWASP Helsinki chapter meeting number 36 was held 12.2.2019 at Veikkaus premises in Pohjois-Haaga. The theme of the meeting was software security, and the topic was covered with two talks and a card game. Here are my short notes.

What Every Developer and Tester Should Know About Software Security

The event started with “What Every Developer and Tester Should Know About Software Security” by Anne Oikarinen from Nixu. The main point was that information security isn’t something you can sprinkle over your applications afterwards – security needs to be baked in. Take security into account in every step of your software development process, with the focus on design and development.

The talk was a good overview of software security and covered the topic from three perspectives: security requirements, threat modeling and security testing. It was both practical and theoretical, and gave good tips on tools and on how to approach the issue. The presentation slides can be seen on SlideShare.

Building security in: start with security requirements and threat modeling

Venn diagram of building security in

Follow standards and best practices

Use tools for improving software security yourself

Security in Agile Development

Joakim Tauren from Visma continued the event with “Security in Agile Development” and told how they manage security at scale. The software security team provides security as a service to product teams and uses OWASP SAMM to empower the teams. Their in-house built system for managing the security maturity matrix was cool.

OWASP Cornucopia

The event was wrapped up with OWASP Cornucopia, a live card game session. The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, identify application security requirements and develop security-based user stories.

The game plays like a card game with six suits and cards from two to ace, like a normal deck of cards. The cards have security-themed questions, and the players try to decide, in the given context, whether the issue at hand is a problem that should be looked into. In this case the context was Death Star themed, with an architecture diagram given.

But what does cornucopia mean? In modern depictions, the cornucopia is typically a hollow, horn-shaped wicker basket filled with various kinds of festive fruit and vegetables. In this context it would relate more to a can of worms :)

Have you ever wondered how to become a bug bounty hunter, or wanted to organize a bug bounty program? OWASP Helsinki chapter meeting number 35 told all about bug bounty programs from both the hacker’s and the organizer’s point of view. The event was held 6.11.2018 at Second Nature Security (2NS) premises in Keilaniemi. Here are my short notes.

Notes from OWASP Helsinki chapter meeting #35

“Hunting for bounties in a web browser” by Juho Nurminen from 2NS started the event talks and covered how to approach the issue, with some findings shown in detail. Besides the usual advice of understanding the technology and focusing on what you know, it’s beneficial to read up on prior art. Is it a repeatable bug? Reproduce it in another context. The talk presented CVE-2018-6033 (extension code can execute downloaded files), CVE-2018-6039 (XSS in DevTools, privileged API can be overwritten) and CVE-2011-2800 (data leak across origins). tl;dr: pwn things, submit to crbug.com, profit.

In “How to become a bug bounty hunter” Iiro Uusitalo from Solita talked about bug bounty platforms and gave tips on how to be successful. In short: POC or GTFO, recon, stay on scope, automate all the things, focus, report, wait, profit, join the community.

“Running a successful bug bounty program” by Thomas Malmberg from the Hackrfi bug bounty program covered the topic from the “random dude from the other side of the table” point of view. “What really matters is finding bugs”, but there are a lot of things to manage. It comes down to managing the expectations of hackers and program owners, and remembering that hackers work for you (program owners) but they are not your employees.

Expectation management

“What really matters is finding bugs.” @tsmalmbe from @hackrfi told how to run a successful bug bounty program at @OWASPHelsinki meetup. Managing expectations of hackers and program owners. Remember: hackers work for you; hackers are not your employees. #OWASPHelsinki – @walokra

The evening ended with a panel discussion about bug bounties with Juho, Iiro and Thomas. Lots of interesting questions were asked; here are some of them in short.

Hardware bug bounties: how to run one if the device is not publicly available?

On-premises hack days -> not so successful: too little time, hackers concentrate on low-hanging fruit.

How to choose [bug bounty] program?

Wide scope -> low-hanging fruit.

What kind of findings get reported?

OWASP Top 10 covers almost everything.

Everyone is scared of finding remote code execution.

Business impact findings.

Recon: who we are, what we do -> what has a big business impact. Also, where’s the legacy code?

How do the hacker and the product owner see the impact of findings? The owner sets the impact, but how should that happen at both ends, and how is the final impact mapped to the reward value?

Always estimate; run it through a CVSS calculator.

Use Google’s approach.

Fairness and trust. The program’s task is to create trust.

Afraid of reporting bugs you found when there’s no bug bounty program?

A program has rules which cover the legal matters. Read the rules, ask.

Top 3 negative things?

A program owner went public, lots of bugs came in, hackers pwned the whole system.

Communication issues.

Program owner gets a call on Friday night: database lost, and the bug bounty program gets the blame.

OWASP Helsinki Chapter held meeting number 34 last week at Eficode with the topics “Perfectly secure API” and “Best friends: API security & API management”. The event gave a good overview of the topics covered and was quite packed with people. Eficode’s premises were modern and there were snacks and beverages. And also a sauna. Here is a short recap of the talks.

OWASP Helsinki Chapter Meeting 34

Perfectly secure API

Matti Suominen from Nixu talked about the perfectly secure API and what it takes to get there. Can an API be secure? Gut feeling says APIs tend to be rubbish and have problems. He covered the topic from three viewpoints: security, risks and defense. A good starting point is to read OWASP resources like ASVS, the Top 10 and the security cheat sheets. Also: implement security centrally, involve the business in design, and DIY never works out.

Best friends: API security & API management

Antti Virtanen from Solita talked about API security and API management and how we’ve traveled from the dark ages to modern times. You can do API security with tools like Amazon AWS API Gateway, but the main point was to go a step further with API management. Use ready-made products like Apigee or the open source alternative Tyk.io. Slides are available on Slideshare.

Snacks and beverages

Security is an important part of software development, and often it doesn’t get enough attention or developers don’t know enough about it. I have been following Troy Hunt on Twitter for some time, and as he was coming to OWASP Helsinki Chapter Meeting #27 it was a great opportunity to hear about application security first hand. Especially about hacking yourself first. The event was held at Life Science Center in Keilaranta, and although it didn’t provide much new information about security and how to protect against hackers, it was a nice event. The event consisted of two talks presented by Troy Hunt: 50 Shades of AppSec and Hack yourself first.

50 Shades of AppSec

The first talk was “50 shades of appsec” which covered a broad spectrum of what’s happening in our industry and how challenging it’s becoming for those of us working in AppSec to keep ahead of the attacks. Troy covered everything from the social aspects of hacking through to some of the more obscure attacks and the increasing challenges we have as defenders.

There were some nice bad examples of how not to do things, and hilarious examples of how even criminal masterminds are fallible: asking questions on Stack Overflow with an account tied to your real identity, or taking a photo with an iPhone without clearing the EXIF data (which contains location info).

The “50 Shades of AppSec” talk didn’t provide much new information that I wouldn’t have already read on Twitter or other news sources, but it was entertaining anyway. Good presentation matters.

Hack yourself first

If you’re protecting applications against attacks, it’s good to know how attackers can exploit your application’s security holes. Online attacks against websites have accelerated quickly, and the same risks keep being exploited. These are often easily identified directly within the browser; it’s just a matter of understanding the vulnerable patterns to look for.

Troy Hunt’s “Hack Yourself First” talk was about developers building up cyber-offence skills and proactively seeking out security vulnerabilities in their own websites before an attacker does. It looked at website security from the attacker’s perspective and at how to exploit common risks in a vulnerable web application. As usual the issues were quite basic and could be easily identified with tools like Havij (automated SQL injection) and Fiddler (HTTP debugging proxy), and fixed with the right knowledge.

One interesting example was to use Fiddler to proxy your device’s traffic and look at how the remote server communicates with it, and even decrypt HTTPS (by installing Fiddler’s root certificate on the device). You can e.g. edit requests and responses and change the values sent to the mobile app. One example is to change the admin flag in a response and see whether the backend validates it on every request, or whether you really get admin rights to the application or service. A practical example was capturing the traffic sent to the British Airways mobile app and seeing the password list for the free WiFi.
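To make the admin-flag exercise above concrete, here is an added example (not code from the talk or from any real app) that simulates it in a few lines of Python: a constructed login endpoint returns the user’s role, the “proxy” rewrites it to admin the way you would in Fiddler, and the client then calls an admin-only endpoint. The vulnerable endpoint authorizes on the role the client sends back; the hardened one ignores client claims and looks the role up from server-side session state on every request. All users, tokens and endpoint names are made up for the demo.

```python
"""Tampered admin flag: vulnerable vs. hardened backend (added example).

Simulates the Fiddler exercise: the proxy rewrites the login response so the
client believes it is an admin, then we check whether the backend re-validates
privileges on every request. All state below is constructed for the demo.
"""
import secrets

# Constructed server-side records: the only trustworthy source of who is admin.
USERS = {
    "alice": {"password": "alice-pw", "role": "user"},
    "root": {"password": "root-pw", "role": "admin"},
}
SESSIONS: dict[str, str] = {}  # session token -> username


def login(username: str, password: str) -> dict:
    """Constructed login endpoint; returns a JSON-like response body."""
    user = USERS.get(username)
    if user is None or user["password"] != password:
        return {"ok": False}
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    # Apps commonly return the role so the client can decide which UI to show.
    return {"ok": True, "token": token, "role": user["role"]}


def proxy_tamper(response: dict) -> dict:
    """What the intercepting proxy does: flip the role the client will store."""
    tampered = dict(response)
    tampered["role"] = "admin"
    return tampered


def vulnerable_admin_endpoint(request: dict) -> dict:
    """Vulnerable: authorizes on the role claim the client sends back."""
    if request.get("role") == "admin":
        return {"ok": True, "secret": "wifi-password-list"}
    return {"ok": False, "error": "forbidden"}


def hardened_admin_endpoint(request: dict) -> dict:
    """Hardened: ignore client claims; derive the role from the server session."""
    username = SESSIONS.get(request.get("token", ""))
    if username is None:
        return {"ok": False, "error": "unauthenticated"}
    if USERS[username]["role"] != "admin":
        return {"ok": False, "error": "forbidden"}
    return {"ok": True, "secret": "wifi-password-list"}


def run_scenario(endpoint) -> bool:
    """Log in as a plain user, tamper the response, call the admin endpoint.

    Returns True if the endpoint handed out the admin-only data.
    """
    client_state = proxy_tamper(login("alice", "alice-pw"))
    # The client faithfully echoes what it now believes about itself.
    request = {"token": client_state["token"], "role": client_state["role"]}
    return endpoint(request).get("ok", False)


if __name__ == "__main__":
    print("vulnerable leaks:", run_scenario(vulnerable_admin_endpoint))  # True
    print("hardened leaks:  ", run_scenario(hardened_admin_endpoint))    # False
```

The same check applies to any privilege the client is told about in a response: if the backend cannot reproduce the decision from its own state on each request, a proxy in the middle decides who is admin.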

Or is it?

The second interesting example was about using the WiFi Pineapple to trick devices into connecting to a “known” wireless network and then capture and intercept their traffic. Did you know that devices broadcast the SSIDs of the networks they have previously connected to? With a device like the Pineapple you can easily see them and then do some magic.

WiFi Pineapple and captured SSIDs.

Q & A and afterwords

Views from Life Science Center Sauna

The questions and answers section was quite active, as security is an interesting topic. There were good questions like: how do you verify the companies you use, e.g. if you’re using Freedome from F-Secure? It’s about choosing the least risky option. Better than airport WiFi without a VPN. You don’t really know.

Another interesting topic was how security people don’t understand development and developers don’t understand security. It’s about working together, and not just security people saying “There are vulnerabilities, fix those.” More cooperation would be better, and it needs support from higher up to make working together happen.

Afterwards the event had the sauna on the 7th floor reserved, which also provided nice views over Laajalahti, and some refreshments. Time to network and try some small talk, although I’m not the most social person. I wasn’t surprised that Troy didn’t join us in the sauna, but it was nice that he had some time to talk in the lounge.

I didn’t get the OWASP sticker, but I got some crafty swag from Nixu, and Troy also provided a one-month free pass for Pluralsight, which has courses to educate yourself.

One of the crafty takeaways from the event: a camera cover sticker for the laptop. Who is paranoid about infosec?

It will be a busy month trying to see all the Pluralsight courses.

Thanks to the organizers and the event sponsor Nixu. Nicely noticed that Hunt was in Europe and got him to talk about security. I also got a ride home with some good tips about restaurants in Tallinn, which was nice. Thumbs up.